Filtering intrusion detection system events on a single host

US20090276853A1 · Inactive · Publication Date: 2009-11-05 · MULVAL TECH

Patent Information

Authority / Receiving Office
US · United States
Current Assignee / Owner
MULVAL TECH
Publication Date
2009-11-05
Estimated Expiration
Not applicable · inactive patent


Abstract

Embodiments disclosed herein describe a method to determine the consequences of a privilege escalation alert from an intrusion detection system, the method comprising the steps of obtaining a privilege escalation alert from the intrusion detection system and analyzing said privilege escalation alert information. The analysis further comprises identifying the program affected by said privilege escalation alert and determining if it can be circumvented. The users affected by said privilege escalation alert and the transitive effects of said privilege escalation alert are identified.
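The triage flow described in the abstract, sketched as an added example (not code from the patent): it parses a constructed Snort fast-format alert, maps the targeted port to the listening program, and walks a "can act as" graph to find transitive effects. The host inventory, the account graph and every name in them are hypothetical assumptions.

```python
import re
from collections import deque

# Constructed Snort "fast" alert line (sample data, not from the page).
ALERT = ("11/05-10:15:02.123456  [**] [1:1000001:1] Constructed overflow attempt [**] "
         "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] "
         "{TCP} 203.0.113.7:40112 -> 192.0.2.10:21")

# Hypothetical host inventory: listening port -> (program, account, circumventable).
LISTENERS = {21: ("ftpd", "ftp", True), 22: ("sshd", "root", False)}
# Hypothetical "can act as" edges: controlling the key account yields the listed ones.
CAN_BECOME = {"ftp": ["backup"], "backup": ["root"], "root": ["alice", "bob"]}

ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<sid>\d+:\d+:\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"\[Classification: (?P<cls>[^\]]+)\] \[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)")

def parse_alert(line):
    """Extract the fields of one fast-format alert line as a dict of strings."""
    m = ALERT_RE.search(line)
    if m is None:
        raise ValueError("unrecognized alert line")
    return m.groupdict()

def affected_accounts(start):
    """Breadth-first closure over CAN_BECOME: the transitive effects."""
    seen, queue = [start], deque([start])
    while queue:
        for nxt in CAN_BECOME.get(queue.popleft(), []):
            if nxt not in seen:
                seen.append(nxt)
                queue.append(nxt)
    return seen

def triage(line):
    """Filter the alert unless it targets a program that can be circumvented."""
    alert = parse_alert(line)
    port = int(alert["dport"])
    if port not in LISTENERS:
        return {"verdict": "filter", "reason": "no program listens on port %d" % port}
    program, account, circumventable = LISTENERS[port]
    if not circumventable:
        return {"verdict": "filter", "reason": "%s cannot be circumvented" % program}
    return {"verdict": "escalate", "program": program,
            "accounts": affected_accounts(account)}

if __name__ == "__main__":
    print(triage(ALERT))
```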

Description

BACKGROUND

[0001] 1. Technical Field

[0002] The embodiments herein generally relate to network management, and, more particularly, to determining the effects of a privilege escalation alert and identifying appropriate response measures.

[0003] 2. Description of the Related Art

[0004] Snort is widely used, open-source software that monitors network packets and identifies attempted privilege escalations on a computer network or on a single host running an exemplary operating system (Windows XP / Vista / 2000 / 2003, Red Hat Linux, Solaris, HP-UX, etc.). The Snort detection system identifies that an attempt has been made to circumvent a program that takes input from the network by listening on a particular port. Snort provides information about the source of the attempt, the targeted program port, and the host identification. Multiple intrusion detection systems available on the market have the above property. They include ISS Intrusion Product, Snort, and other network and host-based intrusion detecti...
